Darknetlive

Florida Darkweb Vendor Forfeits $34 Million in Crypto

A darkweb vendor in Florida forfeited $34 million worth of illicitly earned cryptocurrency.

According to an announcement from the U.S. Attorney’s Office for the Southern District of Florida, a judge entered a default judgment in favor of the United States against $34 million* worth of cryptocurrency seized from a darkweb vendor. The forfeiture includes 640.26804512 BTC, 640.2716098 Bitcoin Cash, 640.2715428 Bitcoin Gold, 640.2716043 Bitcoin S.V., and 919.30711258 ETH. According to prosecutors, the forfeiture is “one of the largest cryptocurrency forfeiture actions ever filed by the United States.”

A picture of The majority of Bitcoin sent to the defendant's wallet came from a darkweb market.

The majority of Bitcoin sent to the defendant's wallet came from a darkweb market.

The forfeiture action results from an investigation into a prolific seller of hacked online account information on an unspecified darkweb marketplace. According to investigators, in January 2017, the vendor (identified only as “Moniker 1”) had completed more than 100,000 transactions. This number increased during the investigation. The completed transactions included several purchases by undercover law enforcement officers, including:

  • On or about January 29, 2016, an undercover law enforcement officer purchased ten (10) Netflix accounts usernames and passwords from Moniker 1 on a Dark Web marketplace for approximately 0.00132443 bitcoins;
  • On or about April 20, 2016, an undercover law enforcement officer purchased one World Wrestling Entertainment account username and password from Moniker 1 on a Dark Web marketplace for approximately 0.01134 bitcoins;
  • On or about September 14, 2016, an undercover law enforcement officer purchased sixty Uber accounts usernames and passwords from Moniker 1 on a Dark Web marketplace for approximately 0.0824 bitcoins;
  • On or about March 7, 2017, an undercover law enforcement officer purchased three (3) Xfinity accounts usernames and passwords from Moniker 1 on a Dark Web marketplace for approximately 0.040 bitcoins; and
  • On or about March 13, 2017, an undercover law enforcement officer purchased one (1) HBOGO account username and password and one (1) Showtime account username and password from Moniker 1 on a Dark Web marketplace for approximately 0.0118 bitcoins.

Court documents identified Alphabay as a market used by the defendant. The defendant admitted conducting “transactions using Bitcoin, Ethereum, and other cryptocurrencies” on Silk Road, Agora, Nucleus, AlphaBay, Dream Market, Abraxas, Sheep, and Evolution. I think only Alphabay and Dream meet the conditions for the market where investigators conducted undercover purchases.

A picture of The defendant transacted on several markets but specifically admitted selling only on AlphaBay.

The defendant transacted on several markets but specifically admitted selling only on AlphaBay.

“In or around 2016, law enforcement agents identified two residences in Florida linked to Moniker 1 after Moniker 1 provided the addresses as the shipping address when he or she previously purchased narcotics from Dark Web marketplaces,” according to court documents.

The person associated with the shipping addresses lived at a residence in Parkland, Florida. Investigators identified the resident. Then, presumably using a pen register, investigators monitored internet traffic to and from the Comcast I.P. address associated with the residence.

“Internet traffic to and from the Comcast I.P. address between in or around December 2016 and March 2017 revealed numerous internet connections from the Parkland Residence on the TOR network. In addition, the internet traffic data showed correlations between when the TOR network was accessed at the Parkland Residence and when messages were received from Moniker 1 by the law enforcement officer(s) making the undercover purchases.”

Police identified the defendant’s PNC bank account and obtained copies of their transaction history. The transactions made by the defendant were “consistent with that of a Dark Web vendor converting virtual currency into cash using LocalBitcoins.com,” according to court documents.

On May 16, 2017, law enforcement agents executed a federal search warrant for the defendant’s residence in Parkland. The items seized by police included a laptop owned by the defendant. The seizures of the defendant’s various cryptocurrency wallets took place from May 2017 through June 2017.

On May 16, 2017, police seized 919.30711258 ETH from the Ethereum wallet address 0x71949d87258c4ca6827730c337f80907d73c7800. In June 2017, police seized 418.51177 BTC from the Bitcoin wallet address 12EZr5x8mFpxS6ypNobhPXmyj4BbRkm6GW and 221.76 BTC “formerly held” in the same wallet.

Blockchain analysis revealed that approximately ninety-six percent of the Bitcoin in the defendant’s wallet came from darkweb marketplaces or exchanges. Over fifty percent of outgoing transfers were made to peer-to-peer exchanges, including LocalBitcoins.com.

“Individual 1 told law enforcement agents that he or she obtained the ether in the Ethereum 7800 Wallet by converting bitcoins earned from unlawful online Dark Web transactions involving the sale of hacked online account information. Individual 1 converted the bitcoins to ether using a virtual currency exchange that did not require users to provide personal identifying information until in or around 2019, thus, providing an additional layer of anonymity.”

Based on information from other court documents, ShapeShift appears to be the exchange referenced above.

“Law enforcement agents were able to confirm that Individual 1 exchanged bitcoins obtained from Dark Web marketplaces for the ether held in the Ethereum 7800 Wallet through an analysis of the blockchain history for both the Ethereum 7800 Wallet and Bitcoin m6GW Wallet, the transactional activity at Virtual Currency Exchange 1, and historical exchange rates for the transaction dates.”

“A review of the Ethereum blockchain history showed that approximately 919.30711258 ether was deposited into the Ethereum 7800 Wallet via nine (9) transactions between on or about March 16 and 17, 2017. These deposits were traced back to a known Ethereum address associated with Virtual Currency Exchange 1.

“Further, a review of the blockchain Bitcoin history showed that approximately thirty-two (32) bitcoins were sent via nine (9) transactions from the Bitcoin m6GW Wallet to other Bitcoin addresses, and from those addresses, transfers were made to Virtual Currency Exchange 1.”

“When these blockchain histories were compared with historical exchange rates, the same transfer amounts for the nine (9) transactions were shown on each respective blockchain, further confirming that bitcoins from the Bitcoin m6GW Wallet were converted to the ether coins eventually seized from the Ethereum 7800 Wallet.”

The defendant told investigators that they had “only sold hacked online account information on AlphaBay.” With the defendant’s cooperation, law enforcement officers withdrew 2.65995166 BTC from the defendant’s vendor account on AlphaBay.

In 2021, the defendant signed a consent to forfeiture. On November 3, 2021, the government published a notice about the action on forfeiture.gov. Nobody filed a claim against the action (the defendant was the only claimant). As a result, U.S. District Court Judge Rodney Smith entered a default judgment in favor of the United States, which forfeited the defendant’s right, title, and interest in the seized cryptocurrency.

According to the press release, this case was the result of a so-called “Operation TORnado,” which is apparently a “joint investigation that stems from the ongoing efforts by OCDETF.”

*The complaint for forfeiture lists the value of the seized cryptocurrency as $47 million. The $34 million number appears in the USAO’s announcement.

archive.is/archive.org/justice.gov

Verified Complaint for Forfeiture in rem: pdf

17 Comments
Do you really want to comment here? not rules
854cf3b8
8b384a40 Tue, Apr 5, 2022

“Should have used…”
Well wait nevermind because I smartman admit that I conducted cryptocurrency transactions between theses dates on these markets.

2cf87a42
cb625bf0 Tue, Apr 5, 2022

Refreshing comment, thank you. Correlation attacks are a bitch and LE has to dedicate some serious computing power to back that shit up, which them tax dollars cannot afford that good. But I really like this comment because it shows just how far the US constitution protects cyber criminals, even dumb cyber drug dealers can ride that wave without having to worry about normal wear and tear on their mail pieces… “DNL”

a69f3374
69959fb0 Tue, Apr 5, 2022

Ya man, should hav… but take it from DNM operators of the “past…,” life happens man…

52143608
21bb41d0 Tue, Apr 5, 2022

biggest proof LE can track tor! Desnake warned us about it on dread here real proof

don’t be stupid use proxy vpn put many of them fuck LE fuck noobs on reddit saying use tor only these are FEDS

2a284514
75209280 Tue, Apr 5, 2022

DeSnake is still using Tor to run all of his security features on alpha 2.0 that effectively amount to DDOSing himself, ironically the exact attack he is trying to avoid besides becoming compromised or getting robbed. Again for the paranoid folks on here, if Tor were majorly compromised they would shut down all illegal traffic on Tor and make wide sweeping arrests, another Holy Box argument from Dumb Nigga Live… things will never been the same after the Holy Box article…

a46cf1cb
0df7b010 Tue, Apr 5, 2022

They can’t track Tor. If they have a “warrant” (which presumably needs some solid evidence beforehand), they will, with the help of your internet provider, monitor with which IP addresses your internet connection exchanges traffic. If those are Tor nodes (which isn’t a secret at all), they will compare the times of day where you do Tor traffic with your activity on market places. For that THEY ALREADY NEED TO KNOW your residence, your vendor accounts and so on. They just compare patterns for which they already need a shitload of information on you obtained by other means. Read the article ffs.

97774920
5a6798c0 Wed, Apr 6, 2022

Yeah? No shit the LE can view the outgoing connections you make? “Desnake” should not be responsible for you learning how the software you use works :|

f6616a9c
55afd570 Wed, Apr 20, 2022

This article does not prove LE can track Tor. ISP’s can see when you visit tor (this is public information). The issue here is that he/she did not use a custome bridge to mask themselves from Comcast.

However because of the massive purchasing of exit nodes by LE, the chances of LE exposing IP’s has increased. Another possibility is that LE has Zero-Days which is also very likely.

98c0a778
e94a9030 Tue, Apr 5, 2022

This is why people need to run tor relays and or use tor constantly for legal and illegal sites. If you constantly have tor traffic flowing thru your network the pen register would be much harder to compromise you. We should all assume we are under a pen register.

34da63ae
8a3ec540 Tue, Apr 5, 2022

““In or around 2016, law enforcement agents identified two residences in Florida linked to Moniker 1 after Moniker 1 provided the addresses as the shipping address when he or she previously purchased narcotics from Dark Web marketplaces,” according to court documents”
This part is confusing to me. It says that the vendor provided their address to investigators in some way. I wonder if the vendor got caught ordering drugs and that ruined their digital vending opsec. In most cases digital only vendors are the safest type of vendor because most vendors get caught through the mail. This person was caught because of revealing their address but they may not have been convicted if they had used Tor much more often and not just when they were vending.
Many people seem to make the mistake of only using Tor when they are doing something illegal instead of using Tor as a general browser for most of their web traffic.

cd71a066
1ec56ce0 Tue, Apr 5, 2022

Tor has circuit padding for making onion site visits look like visiting a regular site on the clearnet. There used to be more of a difference in the traffic pattern. You should still use a mix of legal onion services, legal clearnet sites, and illegal onion sites. You should use multiple sites at once to help beat website fingerprinting attacks. You want a mix of traffic flowing through your network all the time and especially when you are fulfilling orders and communicating as a vendor. Use multiple devices with tor on them at the same time as well.
If you use debian based distros you can use apt-transport-tor package to make your software updates go over tor too just to add more tor traffic to your network and also to keep the enemy from knowing what software you are using and what versions which can also be used against you. For example, if they know that you are using an unpatched version of software that has a public exploit, they could try to exploit it before update.

11a9af87
e7021aa0 Wed, Apr 6, 2022

You need to use tor for hours daily. Dedicate many random hours for regular traffic and hours for your prohibited activitys. tor benefits thru constant use as a “mixnet”

6c33fcf1
71192bf0 Fri, Apr 8, 2022

those 919 eth went to a series of 4 or 5 low-nonce wallets, then to coinbase. I sure hope the coinbase transfer was LE’s work. if not, well…

c73ef373
0fb8b470 Fri, Apr 8, 2022

I’m surprised that he was able to deposit that much money into his bank per month. I thought most banks started asking a few questions at around $10,000/month of unknown deposits. But during April he deposited about $15,000 and the bank didn’t give him a second look.

a472876a
b4c64450 Mon, Apr 11, 2022

How did they get his address from the markets? PGP issue, market issue, or did he order from undercover?

886116a3
bffa6990 Tue, Apr 12, 2022

just a guess but probably had a vendor or market compromised, they prob ran his name and it popped up that he made an order as well as provide services there. sounds like it was just dumb OPSEC on his part, not hard to find more evidence once they knew it was him

a1667039
7afffc20 Tue, Apr 12, 2022

He ordered drugs with his address in plaintext and used the backdoored “Encrypt with vendor’s PGP” checkbox while feds were already running the market.
Ridiculous.

New comments are disabled after one month in an attempt to limit spam.